George Osborne's understanding of cybersecurity is worrying

Whitehall street sign outside the Cabinet Office

George Osborne said the word 'cyber' 134 times in his 45-minute speech to GCHQ earlier this week.

They say that talk is cheap, but in this case it could turn out to be quite expensive. Not only does Osborne plan to double cybersecurity spending to 1.9 billion over the next five years, but the proposals he set out in his speech will be expensive in terms of protecting our data and our critical national infrastructure.

If you include the Snooper's Charter in all this, the government's measures could ultimately cost us our freedom.

Why such a negative reaction to the words of Mr Austerity? Well, reading through the transcript of his speech, it's clear that while Osborne gets some things right, he also gets an awful lot wrong.

I'm not going to argue with Osborne when he says that "citizens need to follow basic rules of keeping themselves safe: installing security software, downloading software updates, using strong passwords".

Nor when he states that "companies need to protect their own networks, and harden themselves against cyber attack": all of this makes perfect sense.

Where things go a little pear-shaped, however, is when Osborne claims that "only government can defend against the most sophisticated threats".

This is patently nonsense. Governments the world over have proven time after time that they are incapable of defending against the least sophisticated threats, and data breach after data breach is proof of that.

If you want more proof, then Osborne went on to praise GCHQ, saying that "it has an unmatched understanding of the internet and of how to keep information safe", which again I would take some issue with.

This is the organisation whose recent advice includes that "complex passwords do not usually frustrate attackers" and "by simplifying your organisation's approach, you can reduce the workload on users, lessen the support burden on IT department, and combat the false sense of security that unnecessarily complex passwords can encourage.

Ciaran Martin is Director General of Cyber Security at GCHQ, and the man who gave that advice, along with the ripe old chestnut that is "regular password changing harms rather than improves security, so avoid placing this burden on users".

Of course, this kind of advice isn't for 'high value individuals' like Martin, but for the rest of us plebs. Then there was the occasion a couple of years back when GCHQ was found to be sending passwords by email in plaintext to would-be spies.

As part of his five-step plan to protect the UK from cyber attack, Osborne will introduce a single National Cyber Centre, reporting to the GCHQ, to replace the "alphabet soup of agencies involved in protecting Britain in cyberspace".

Apparently this will make it easier for government and industry to share information on cyber threats, though I'm not exactly sure how this new organisation is that much different to when "a unified and integrated response to the threat of cyber attack" was established in 2011 in the shape of the Defence Cyber Security Programme, or the Joint Cyber Reserve in 2013, which promised "a dedicated capability to counter-attack in cyberspace".

It's these inconsistencies in what he is saying now, and what has been said and done in the recent past, that annoy and worry me in equal measure.

But it doesn't stop there - Osborne went on to claim that the government has built cybersecurity into "every stage of the education process", and that its cyber apprentices will ensure we have enough talent to fill cyber vacancies.

Erm, excuse me? Isn't there a well-acknowledged skills gap when it comes to cybersecurity?

Even Osborne himself admits that the cyber workforce gap could hit 1.5 million by 2020. So to claim that efforts over the last five years have led to Britain being regarded as "top or near top in the world" when it comes to cyber defence capability is, frankly, laughable.

Osborne then backtracked a little, within a few breaths, to add "we are not winning as often as we need to against those who would hurt us in cyberspace". Indeed, anyone who reads the news knows that data breaches are on the up. Many who work within the IT security industry will tell you we are not only losing lots of battles, but the war as well.

Just throwing money at cybersecurity is not enough, and has never been enough. That the government can find a spare 1.9 billion over the next five years for cybersecurity investment, at a time of austerity measures almost everywhere else, is one thing.

Ensuring the money is well spent is quite another thing. Regular readers will know that I have something of a mantra which goes 'it ain't what you spend, it's the way that you spend it, that's what gets results'.

It remains to be seen just how ambitious, and just how successful, the programme to train young people with cyber talent will be.

The announcement that things are kicking off with a competitive bidding process to open a new Institute of Coding is a start. But without the education of end users in security smarts, as well as skilling up potential IT security graduates, I fear we will not move on from the situation we find ourselves, in where we are chasing our tails as the bad guys get access to increasingly dumbed down tools to launch increasingly advanced attacks.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at